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We present a solution to an old and timely problem in dis- 
tributed computing. Like Quantum Key Distribution (QKD), 
quantum channels make it possible to achieve taks classically 
impossible. However, unlike QKD, here the goal is not se- 
crecy but agreement, and the adversary is not outside but 
inside the game, and the resources require qutrits. 



Entanglement is a resource that allows quantum 
physics to perform tasks that are classically impossible. 
This is the new leitmotif of quantum information pro- 
cessing. The best known examples are quantum cryptog- 
raphy ||l|,|| and Shor's algorithm to efficiently factorize 
large numbers 0. There arc numerous other examples, 
but admittedly many of them look quite artificial. This 
can be understood by the fact that the field is rather 
young and one has to learn to think about problems 
in a completely new way. In this letter we consider an 
old information-theoretical problem in the field of fault- 
tolerant distributed computing, known as the Byzantine 
agreement problem B and present a solution which ex- 
ploits entanglement between three qutrits (i.e., three 3- 
dimensional quantum systems). 

Imagine that several divisions of the Byzantine army 
are camped outside an enemy city, each division com- 
manded by its own general. The generals can communi- 
cate with one another only by messengers. One of the 
generals, the commanding general, after observing the 
enemy, must decide on a plan of action and communicate 
it to the other generals. However, some of the generals 
(especially the commanding general himself) might be 
traitors, trying to prevent the loyal generals from reach- 
ing agreement on the plan of action. The question hence 
is whether there is a protocol among the generals that, 
after its termination, satisfies the following conditions: 

1. All loyal generals agree on a common plan of action. 

2. If the commanding general is loyal, then all loyal 
generals agree on the commanding general's plan. 

More precisely we define Byzantine agreement (shortly 
broadcast) as follows. 

Definition 1: A protocol among n players such that 
one distinct player S (the sender) holds an input value 
xs (z T) (for some finite domain V) and all other players 
(the receivers) eventually decide on an output value in 
V is said to achieve broadcast if the protocol guarantees 
that all honest players decide on the same output value 
y G T) and that y — xs whenever the sender is honest. 



In modern terms, this problem concerns coordination 
in distributed computing (among several processors or 
computers) where some of the processors might fail. For 
example, a database can be replicated among several 
servers in order to guarantee access to the database even 
if some of the servers misbehave. Nevertheless, an in- 
consistent external update of the database must result in 
all honest servers having exactly the same views on the 
database. Consider for instance that the database con- 
tains the price of valuable goods, or currency exchange 
rates. It is then important that no adversary, not even 
an inside adversary, can affect the coordination in such 
a way that the prices would be low somewhere and high 
elsewhere. 

The broadcast problem has been considered in a vast 
literature and has developed several variations 0] . Here 
we shall define the problem more precisely as follows. 
Three players are connected by pairwise authenticated 
classical and quantum channels, see Fig. 1. For simplic- 
ity, we assume the channels to be error free — generally, 
errors would have to be additionally dealt with by means 
of error correction codes. The general purpose is that one 
of the players, namely the sender {S for short), broad- 
casts a bit to his two partners, the receiving players Rq 
and Ri. Both receivers should end with the same value. 
However, one - and at most one - of the three players 
might actually be an active adversary. For instance, a 
dishonest sender could send different bit values to Rq 
and Ri. The receivers may realize that there is a prob- 
lem simply by exchanging their bits. But then, player Ri 
cannot conclude whether the sender is dishonest and he 
should keep the bit received from Rq or whether player 
Rq is cheating and he should keep the bit received from 
the sender. It is not too difficult to convince oneself that 
because the players have only access to pairwise channels, 
this task is not obvious. 

If the players have access only to classical pairwise au- 
thenticated channels, the broadcast problem is provably 
unsolvable |Q,|[. This even holds for arbitrary pairwise 
communication, i.e., not even quantum channels can help 
to solve the problem ||^. However, we shall demonstrate 
that the additional resource of the quantum channel al- 
lows them to solve a slightly weaker problem, namely de- 
tectable broadcast, which is powerful enough for a large 
range of applications of this problem. 

Definition 2: A protocol among three players such that 
one distinct player 5* (the sender) holds an input value 
Xs E V (for some finite domain V) and the other two 
players (the recipients) eventually decide on an output 



value in 2? is said to achieve detectable broadcast if the 
protocol satisfies the following conditions: 

1 . If no player is corrupted then the protocol achieves 
broadcast. 

2. If one or more players are corrupted then either the 
protocol achieves broadcast or all honest players 
abort the protocol. 



Note that detectable broadcast cannot be solved only 
with pairwise authenticated classical channels. However, 
we demonstrate that pairwise authenticated classical and 
quantum channels are sufficient to solve the problem. Ba- 
sically, we solve the problem by having the players 

1. distribute entanglement, 

2. check that the entangled states are not corrupted, 
and 

3. use them to solve the problem. 

At first sight, this sounds very similar to quantum 
cryptography. But, actually, it is very different! Indeed, 
here we do not require any secrecy: what counts is to 
avoid any discord. Also, here, in contrast to quantum 
cryptography, the adversary is not an outside player, but 
might be anyone among the three players. Finally, here, 
the entanglement requires entangled qutrits, contrary to 
quantum cryptography where qubits suffice. 

The first point of the above program, i.e. distribut- 
ing entanglement, is trivial (in theory), since we assume 
that quantum channels are available. The testing (i.e. the 
second point), however, is tricky. Indeed, the testing re- 
quires (classical) communication between the three play- 
ers. But the adversary being inside the game could cor- 
rupt this communication phase. Especially at the last 
round of the communication phase, the adversary could 
send contradictory messages to the two honest players. 
In other quantum information protocols involving more 
than two players, e.g., in quantum secret sharing [Q, 
this problem is avoided by assuming that the players can 
broadcast their (classical) messages. But here broadcast- 
ing is not assumed among the primitives, on the contrary, 
it is the goal of the game. Below we show how to break 
this vicious circle! But first, we need to explain how the 
three players can use entangled qutrits to solve the prob- 
lem. 

Let us assume that the 3 players share many qutrits 
triplets '^j, each in the Aharonov state \A): 

\A) = (|0, 1, 2)^ + |1, 2, 0)^ + |2, 0, 1)^ (1) 

- |0, 2, 1)™-|1, 0,2)^-12,1,0)^)-^ 

where |0, 1, 2)^ denotes the tensor product state |0)^ (8) 
|l)m 'Si |2),51. If one identifies qutrits with spin-1 and as- 
sociates the state |2)/^ with the eigenvalue —1 of the spin 



operator mS, then the Aharonov state is the unique three 
spin-1 state of total spin zero. Consequently - and anal- 
ogously to the singlet state of qubit pairs - the Aharonov 
state is invariant under tri-lateral rotations: it keeps the 
same form m) for all directions m, where \Q)m, |l)m and 
|2)^ are the 3 eigenvectors of the spin operator rhS. We 
shall exploit the fact that whenever the three qutrits are 
all measured in the same basis, then all three results dif- 
fer. 

With the help of this additional resource, i.e., the 
Aharonov states, the protocol runs as described below. 
At each step we comment on the reasons why this is safe. 
Actually, all steps are rather trivial, except the last one 
which needs a careful analysis. 

1. First, the sender S sends the bit x to be broadcast 
to the two receivers Rq and Ri, using the classical 
channels. Let us denote xq and xi the bits received 
by i?o and Ri, respectively. Next, the Sender S 
measures all his qutrits in the z-basis. Whenever 
he gets the result x, S sends the index j to both 
receivers Q. Accordingly, the players Rq and i?i 
receive each a set of indices, Jq and Ji, respectively 
(label® on Fig. 1). 

2. Both receivers test the consistency of their data. 
For this they measure their qutrits in the z-basis. 
If all results with indices in Jp differ from Xp, then 
player Rp has consistent data and he sets a flag j/p = 
Xp. If a set of data is inconsistent, then the player 
sets his flag to i/p —1- (interpreted as inconsistent). 

3. The two receivers send their flags to each other. If 
both flags agree then the protocol terminates with 
all honest players agreeing on x. 

4. If Up =_L, player Rp knows that the sender is dis- 
honest. He concludes that the other receiver is hon- 
est and he simply accepts the bit he receives from 
him (If 2/0 = yi =-L, then they both end with the 
"value" _L). 

5. It remains only the interesting case that both re- 
ceivers claim that they received consistent, but dif- 
ferent, data. The strategy we propose then is that 
player Ri will not change his bit yi, unless player 
Rq convinces him that he did indeed receive the bit 
Ho from the sender in a consistent way. To convince 
his partner of his honesty, player Rq sends him all 
the indices k E Jo for which he has the result 1 — yo 
(label® on Fig. 1). 

6. Receiver i?i now checks that he gets "enough" in- 
dices k from Rq such that 

(a) "almost all Q" indices k from Rq are not in 
-Ri's index set Ji, and such that 

(b) these k indices correspond to qutrits for which 
i?i's results are "almost all" equal 2. 



If i?o indeed got an index set that is consistent with 
bit j/o then S holds yo, Rq holds 1 — yo, and hence, 
i?o's result must be a 2. If the test succeeds, player 
i?i changes his bit to j/Oi otherwise he keeps yi. 

Let us examine why player Rq cannot cheat (see Table 
1). Assume that Rq receives the bit xq = 0, but pretends 
that he got 1. To convince the receiver i?i to accept 
his " pretended bit" , player Rq must first announce that 
he received consistent data (which is true, but with bit 
value 0), and next send a sufficiently large set of indices 
{k} with almost no intersection with Ji and for which 
i?i almost always has the result 2. Since player Rq has 
no information on the indices outside Jq for which he 
measured 1 — yo (other than 1 — yo itself) , approximately 
half of the indices that player Ri gets are different from 
2 — which is not accepted by player i?i . 

Let us stress two important features of this protocol. 
First, the last player, i.e., player i?i, almost never talks 
(he only sends his value j/i to Rq). Moreover, if the sender 
is honest, then the last player never changes his mind. 
This is important for the distribution and test phase of 
the protocol described below. Second, a third noticeable 
point is that our protocol uses trits and not bits. Clearly, 
trits can always be encode as 2 bits, like qutrits can be re- 
alized as 2-qubit in symmetric states. But fundamentally, 
the protocol requires trits (and we convinced ourselves, 
but without a proof, that no protocol using intrinsically 
only bits exists). 

So far we described a protocol assuming that the 3 
players share a large collection of qutrit triplets in the 
Aharonov state (M. We now describe a protocol to dis- 
tribute and test such states. This protocol uses only pair- 
wise communication, in particular no broadcasting is as- 
sumed. Nevertheless, the protocol has only two possible 
outcomes: global success or global failure. By global we 
mean that all honest players end with the same conclu- 
sion. In case of failure, the broadcasting protocol does 
not even start. In case of success, broadcasting can be 
realized reliably. 

The distribution-&-testing protocol works as follows: 

1. Player i?i prepares many qutrit triplets ^^ in the 
Aharonov state (|l|) . For each index j he sends one 
qutrit to player S and one to Rq (label® on Fig. 
l). 

2. Both S and _Rq check that their qutrits are in the 
maximally mixed state. In case of success, they set 
a fiag fp to 1, else to 0. 

3. Player Rq sends a sample of his qutrits to S (label 
(3) on Fig. 1). Player S tests that the sample of 
qutrit pairs he now holds are in the correct state 
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= o (-f'|l,2>-|2,l) + -F'|2,0)-|0,2> + -P|0,1>-|1,0)) 



If the test fails, then he sets his flag to 0: fs — 0. 

4. Player Ri sends a sample of his qutrits to Rq and 
another sample to S. Both Rq and S test their 
qutrit pairs as in the previous point 3. If the test 
fails they set their flag to 0. 

5. Player S and Rq exchange their flag. If a player 
receives a 0, then he sets his flag to zero. 

6. Both players S and Rq broadcast their flags using 
the protocol described previously. 

7. Any player with flag 1 who received a 0-flag changes 
his flag to 0. 

At first, the step 6 of the above protocol seems im- 
possible, since the broadcast protocol requires reliable 
Aharonov states! Nevertheless, let us look closer at this 
step. If player Ri does not produce the correct states, 
then, since by assumption there is no more than one dis- 
honest player, players S and Rq are honest and both will 
end with their flag on failure: fs — Jrq — 0. Let us 
thus assume that all states \I'j = \A). Consequently, the 
broadcasting is reliable. All what a dishonest player S, 
Rq or i?i could do is to act in such a way that the flags 
are set to |ll[ . But during the last step of the proto- 
col, i.e., the broadcast sessions, both the one initiated by 
S and the one initiated by Rq are reliable. Hence it is 
impossible that some players end this protocol thinking 
that a status of success has been reached, while another 
one thinks the opposite. Moreover, if all players agree on 
success, then they share Aharonov states and they can 
reliably run the broadcast protocol. 

The field of quantum communication is still in its in- 
fancy. Only very few protocols concern more than two 
parties and almost all use qubits. In this letter we pre- 
sented a protocol among three players connected by pair- 
wise quantum channels able to transmit qutrits and to 
preserve their entanglement. The protocol is a version 
of the well known Byzantine agreement problem, a very 
timely problem in today's information based society. Ad- 
mittedly, the problem has been slightly adapted to fit into 
the quantum frame, a natural synergy between classical 
and quantum information theories. It is not too difficult 
to generalize our result to n players with t < § cheaters, 
though this is beyond the present letter |12]. One may 
question whether the use of qutrits is necessary or not for 
broadcasting. Though this is still an open question, it is 
clear that the present protocol is intimately related to 
the Aharonov state (the natural generalization to three 
parties of the well known singlet state of two qubits), 
hence to qutrits. 

Two other features of our protocol should be men- 
tioned. First, the quantum states are used "only" to 
distribute classical private random variables with specific 
correlation to the 3 players (a trit per player, each of a 
different value, all combination with equal probabilities). 
This is similar to quantum cryptography where quantum 



mechanics "only" provides key distribution. However, 
contrary to the "one-time-pad" algorithm used in con- 
junction with quantum key distribution, the present algo- 
rithm was itself inspired by the elegance of the Aharonov 
quantum state. Finally, experimental demonstration of 
the protocol can be realized with today's technology, us- 
ing photons and 3-paths interferometers. Actually one 
would not need to prepare 3 entangled photons, two 
would suffice since the preparer Ri could measure his 
qutrit immediately, similarly to the demonstration of 
quantum secrete sharing using pairs of photons p3| . 

Work supported by the Swiss Science Foundation. 



states |q,i > are mutually orthogonal, this is precisely the 
Aharonov state (up to phases that can be changed locally 
and do not affect the correlation in the z-basis). An equiv- 
alent test can be performed using only local measure- 
ments in randomly chosen bases and classical pairewise 
communication: S choses the bases and Rq announces 
his results. 

[11] Similarly to QKD where Eve can block the key distribu- 
tion, but not extract information. 

[12] M. Fitzi, N. Gisin, U. Maurer, and O. von Rotz. Un- 
conditional byzantine agreement and multi-party compu- 
tation secure against dishonest minorities from scratch. 
Manuscript, 2001. 

[13] W. Tittel, N. Gisin and H. Zbinden, Phys. Rev. A 63, 
042301, 2001. 
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Fig 1: Flow of classical (straight lines) and quan- 
tum (wavy lines) information. Note that both kinds 
of information flow exactly in opposite direction. 
This is needed to avoid that the adversary can bring 
in confusion at the last communication round. 



/// IV V VI 

11 2 2 

2 1 

2 10 



Jo Jl 

TABLE I. After measuring their qutrits, the sender S and 
receivers _Ri and Ro results fall into 6 classes, labeled with 
Roman numbers. The index-sets Jo and J\ associated to the 
bit values and 1 correspond to the labels I, II and III, IV, 
respectively. If Ro receives the bit and the set Jo he can 
announce to Ri all cases where he has the bit 1: all cases 
labeled by I. For all these cases R\ has the value 2. However, 
if -Ro tries to cheat and pretends to have received a bit 1, then 
he can't differentiate between the cases labeled IV and V. For 
the latter, _Ri has a value 1, he can thus detect cheating Rq. 




